Closed Bug 353079 Opened 14 years ago Closed 14 years ago

"Assertion failure: op == JSOP_LEAVEBLOCKEXPR ? ..." with WAY_TOO_MUCH_GC

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: igor)

Details

(Keywords: crash, testcase, verified1.8.1, Whiteboard: [sg:critical?] js1.7)

Attachments

(2 files, 1 obsolete file)

This is with "prep patch for plan A, v7b" from bug 346642.  You must have WAY_TOO_MUCH_GC enabled to see the bug.

js> for (let a in [1]) let (x) { for(let y in ((function(id2) { return id2; })( '' ))) { } }

Assertion failure: op == JSOP_LEAVEBLOCKEXPR ? fp->spbase + OBJ_BLOCK_DEPTH(cx, obj) == sp - 1 : fp->spbase + OBJ_BLOCK_DEPTH(cx, obj) == sp, at jsinterp.c:6031
Assignee: general → igor.bukanov
I've diagnosed this, Igor is on it.  Should fix for 1.8.1.

/be
Flags: blocking1.8.1?
Attached patch Fix v1 (obsolete)
The fix. It is the minimal version since it also moved parent checks, but it is easy to comment what is going on in this way.
Attachment #241501 - Flags: review?(brendan)
Attachment #241501 - Flags: review?(mrbkap)
Comment on attachment 241501
Fix v1

r=me, please land ASAP.  The branch will need a different patch without JS_PUSH_TEMP_ROOT_OBJECT.

/be
Attachment #241501 - Flags: review?(brendan) → review+
OS: Mac OS X 10.4 → All
Hardware: Macintosh → All
Attached patch Fix v2
A patch to commit that does not use the object form of tvr root to stay compatible with 1.8.1 branch.
Attachment #241501 - Attachment is obsolete: true
Attachment #241510 - Flags: review+
Attachment #241501 - Flags: review?(mrbkap)
Attachment #241510 - Flags: approval1.8.1?
Attachment #241510 - Flags: review?(mrbkap)
I committed the patch from comment 4 to the trunk:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.297; previous revision: 3.296
done
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Attachment #241510 - Flags: review?(mrbkap) → review+
Flags: in-testsuite+
Comment on attachment 241510
Fix v2

Approved for RC3.
Attachment #241510 - Flags: approval1.8.1? → approval1.8.1+
Flags: blocking1.8.1? → blocking1.8.1+
I committed the patch from comment 4 to MOZILLA_1_8_BRANCH:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.68; previous revision: 3.181.2.67
done
Keywords: fixed1.8.1
Whiteboard: [sg:critical?] js1.7
verified fixed 1.8 20061011 dbg way too much gc builds on windows/macppc/linux
verified fixed 1.9 20061121 windows/linux
Status: RESOLVED → VERIFIED
Group: security
/cvsroot/mozilla/js/tests/js1_7/regress/regress-353079.js,v  <--  regress-353079.js